Full Version: *panel security holes ..
voyager
I last used *panel a year ago at an extremely popular, ~$9/month hosting provider (started with the letter 'A'). About a year ago, their reputation began to rapidly sink, due to their rapid growth balanced by an equally rapid decline in quality of customer service and a gradual increase in what appeared to be hacker activity, possibly exploiting the following security holes in *panel's hosting architecture:

1) any user could easily get a listing of all customer accounts on the server
2) all customers' files in the "web" directory were readable by all other customers (no search permission, but the directory name was the same, so you can cd to another customer's web directory blindly, by cd ~user/web/ .. except I've forgotten the name of the "web" directory)
3) any user could add files to another customer's website, if the write permissions were open (this was not uncommon at the ISP I had an account with), and using a CGI if the write permissions weren't open
4) using the information gained above, any user could write a CGI (or php script) that could create files in another user's website (and effectively hide it)
5) people exploiting these holes were wreaking havoc at their whim, causing the hosting provider's servers to go down frequently

Now, I'm curious if these security holes are still present in *panel.

I noticed Ensim Pro claims to implement virtual filesystems on a per user basis to prevent these sorts of security issues. Does anyone have more information about this "ensim" feature? Does it require an "ensim" version of the Linux kernel? Did ensim develop the technology in-house, or simply roll-up some ACL open-source technology? I suppose I should post this to the Ensim thread ..
levovich
As much as I think that Ensim is very far from perfection, I believe it is the best control panel. I have one server with each control panel: Ensim, Plesk, Cpanel. Ensim is the best because it provides rather safe SSH access that confines users within the limits of their own accounts. Unfortunately, Ensim doesn't provide easy subdomain creation like Cpanel; however, there are many hacks to implement all features not included in Ensim by default. I love Ensim more than Cpanel and definitely much more than Plesk.
ericfire
Actually, I have spent the past couple of days trying to secure my box. However, I have not come up with a decent solution to the linux/cgi problem. I've tried sbox, http://stein.cshl.org/WWW/software/sbox/ , and even thought about chrooting sites myself (and making this automatic through wwwacct). I gave up on chrooting them myself. Suexec is not enough.

It has been repeated to me that I should tighten security by tightening Unix permissions. HOWEVER, /etc/passwd must be world-readable, and for this reason, using common everyday cgi scripts, the file can be read and the path to the non-secure /home/*/public_html/*/ directories can be easily found. Once a user's directory is found, all it takes is one file that has been chmoded to 777 in that user's directory for somebody to turn into a cgi script and take over the account. I cannot risk this, and if I cannot find a solution for this, I believe I will switch to Ensim 3.5. I can't afford to be rooted/hacked because of a simple cgi script (cgitelnet, genesis, etc.)

Despite all of cPanel's great features and despite Ensim's slow updates and 'ugly' interface, I think Ensim may be winning - and it's because of that one category - cgi security.

You have a very good point.
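
An added example, not part of the original posts and not cPanel code: a defender-side audit for the condition ericfire describes, flagging docroots open to other local accounts and world-writable entries (the "chmoded to 777" case). The `/home/<user>/public_html` layout follows the post; the function names and the sample tree (`alice`, `bob`) are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_docroots(home_base, docroot="public_html"):
    """Return (issue, relative_path) findings for each <home_base>/<user>/<docroot>."""
    findings = []
    for user in sorted(os.listdir(home_base)):
        root = os.path.join(home_base, user, docroot)
        if os.path.islink(root) or not os.path.isdir(root):
            continue
        # Docroot listable/traversable by "other": every local account can browse it.
        if os.lstat(root).st_mode & (stat.S_IROTH | stat.S_IXOTH):
            findings.append(("docroot-open-to-other", os.path.relpath(root, home_base)))
        for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
            for name in sorted(dirnames + filenames):
                path = os.path.join(dirpath, name)
                mode = os.lstat(path).st_mode
                if stat.S_ISLNK(mode) or not mode & stat.S_IWOTH:
                    continue  # symlink mode bits are meaningless; skip non-writable
                # A world-writable, executable file is the "chmod 777" case from the post.
                kind = "world-writable"
                if stat.S_ISREG(mode) and mode & stat.S_IXOTH:
                    kind = "world-writable-executable"
                findings.append((kind, os.path.relpath(path, home_base)))
    return findings

def build_sample_tree(base):
    """Constructed sample: 'alice' is loosely permissioned, 'bob' is tightened."""
    layout = {"alice": 0o755, "alice/public_html": 0o755,
              "alice/public_html/uploads": 0o777, "bob": 0o711, "bob/public_html": 0o750}
    files = {"alice/public_html/index.html": 0o644, "alice/public_html/form.cgi": 0o777,
             "bob/public_html/index.html": 0o640}
    for rel in layout:
        os.makedirs(os.path.join(base, rel), exist_ok=True)
    for rel, mode in files.items():
        with open(os.path.join(base, rel), "w") as fh:
            fh.write("sample\n")
        os.chmod(os.path.join(base, rel), mode)
    for rel, mode in layout.items():  # set directory modes last, independent of umask
        os.chmod(os.path.join(base, rel), mode)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for issue, path in audit_docroots(build_sample_tree(tmp)):
            print(f"{issue:28} {path}")
```

On a real server, `audit_docroots("/home")` needs to run as root so that tightened trees are still readable to the audit.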
aussie
QUOTE
Originally posted by ericfire
Actually, I have spent the past couple of days trying to secure my box. However, I have not come up with a decent solution to the linux/cgi problem. I've tried sbox, http://stein.cshl.org/WWW/software/sbox/  , and even thought about chrooting sites myself (and making this automatic through wwwacct). I gave up on chrooting them myself. Suexec is not enough.  

It has been repeated to me that I should tighten security by tightening Unix permissions. HOWEVER, /etc/passwd must be world-readable, and for this reason, using common everyday cgi scripts, the file can be read and the path to the non-secure /home/*/public_html/*/ directories can be easily found. Once a user's directory is found, all it takes is one file that has been chmoded to 777 in that user's directory for somebody to turn into a cgi script and take over the account. I cannot risk this, and if I cannot find a solution for this, I believe I will switch to Ensim 3.5. I can't afford to be rooted/hacked because of a simple cgi script (cgitelnet, genesis, etc.)

Despite all of cPanel's great features and despite Ensim's slow updates and 'ugly' interface, I think Ensim may be winning - and it's because of that one category - cgi security.

You have a very good point.


How about submitting your complaint to Cpanel via their TT system in WHM? At least you could say you made a contribution to better the panel world.
ericfire
I was not trying to rat out cPanel. After all, this is an issue with almost every single Linux shared server w/cgi out there. I love cPanel. I'll submit it. I hope they hear me.
blacks
QUOTE
Originally posted by ericfire
Actually, I have spent the past couple of days trying to secure my box. However, I have not come up with a decent solution to the linux/cgi problem. I've tried sbox, http://stein.cshl.org/WWW/software/sbox/  , and even thought about chrooting sites myself (and making this automatic through wwwacct). I gave up on chrooting them myself. Suexec is not enough.  

It has been repeated to me that I should tighten security by tightening Unix permissions. HOWEVER, /etc/passwd must be world-readable, and for this reason, using common everyday cgi scripts, the file can be read and the path to the non-secure /home/*/public_html/*/ directories can be easily found. Once a user's directory is found, all it takes is one file that has been chmoded to 777 in that user's directory for somebody to turn into a cgi script and take over the account. I cannot risk this, and if I cannot find a solution for this, I believe I will switch to Ensim 3.5. I can't afford to be rooted/hacked because of a simple cgi script (cgitelnet, genesis, etc.)


Your point is very valid. This may be OT here, but with ensim 3.1 (I don't speak for 3.5, never upgraded), you can install a suexec mod, that does a chroot right before it runs the script. As a result, the only filesystem available to a cgi is the virtual one it is run in. A LOT more secure than stock ensim.

Coupled with php safe mode, and php open_basedir, it is fairly secure.

Blacks

hmm, seems I'm preaching to the choir here given your last paragraph, but I just want to stress how important CGI security is!
ericfire
QUOTE
Originally posted by blacks
hmm, seems I'm preaching to the choir here given your last paragraph, but I just want to stress how important CGI security is!


Yes, that was not my intention either. I should have probably just kept my thoughts to myself. But there may be some people out here that are not aware of this that would like to be.